Oil giant Shell discloses data breach linked to Accellion FTA vulnerability

Shell has disclosed a data breach involving stakeholders that exposed personal information records. 

The oil and gas company said an unknown threat actor managed to gain access to "various files" during the time of intrusion which included personal data and information "from Shell companies and some of their stakeholders."

Shell has not disclosed how many individuals are involved in the security incident beyond saying that impacted parties have been contacted, alongside law enforcement agencies and regulators. 

The firm added that it does not appear core IT systems have been compromised, as the route of access was isolated from the rest of Shell's central infrastructure. 

However, the data breach has been connected to Accellion's File Transfer Appliance (FTA), enterprise software used to transfer large files -- and a solution linked to a string of security incidents in December 2020 and January 2021. 

Accellion FTA, a legacy product that has now been formally retired, contained a zero-day vulnerability that was patched within three days of the vendor being made aware of active attacks utilizing the security flaw. 

However, thousands of organizations worldwide rely on the appliance, leading to a string of attacks against high-profile corporations and government entities. 

The first case was reported by the Reserve Bank of New Zealand. Organizations including the Australian Securities and Investments Commission (ASIC), Singtel, and Qualys soon followed. 

FireEye's Mandiant team was pulled in to conduct an assessment of the Accellion FTA vulnerability, finding two further vulnerabilities -- albeit accessible only by authenticated FTA users -- and all bugs, as of now, have been resolved in FTA. If systems remain unpatched, however, they also remain vulnerable to exploit. 

The companies said in February that threat group FIN11 has been connected to the FTA zero-day exploit activity. 

"Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack," Accellion said. "Within this group, fewer than 25 appear to have suffered significant data theft."

CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 have now been reserved to track associated vulnerabilities. 

Users of Accellion FTA are recommended to switch to Kiteworks. 

"We will continue to monitor our IT systems and improve our security," Shell says. "We regret the concern and inconvenience this may cause the affected parties."

Update 29/3 17.33 BST:

On March 29, the Clop ransomware group published data allegedly belonging to Shell. The screenshots, viewed by ZDNet, appear to shop copies of visa documents, passports, and company evaluation reports, among other records.

ZDNet has reached out to Shell with additional queries and we will update when we hear back. 

Previous and related coverage

• The biggest hacks, data breaches of 2020
  
• Maza Russian cybercriminal forum suffers data breach
  
• Popular remote lesson monitoring program could be exploited to attack student PCs
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0